Patch Tuesday Closes Big Time Vulnerabilities, but Only if You Install Updates

Microsoft (and Adobe, for that matter) released a slew of security updates in the May 2013 edition of their monthly Patch Tuesday release. As always, if your machine isn’t set to install these updates automatically, make sure you agree to install them when prompted to do so by Microsoft (or Adobe).

I don’t want to beat the dead horse too relentlessly here, but there is literally no good reason not to install security updates. Not one. You don’t have to do anything but click ‘yes,’ or, in most cases, wait a few extra minutes while your machine boots up and installs them automatically. In fact, just now, as I was writing this up, Adobe informed me that it had successfully updated. I didn’t even know it was installing anything. That’s how easy it was.

Ease aside, not installing security updates is like not getting a flu shot: it puts everyone else at higher risk of getting infected, because when you shirk your updates, you’re contributing to the increasingly voluminous pool of easily exploitable machines. Furthermore, the problem is one of those pesky, self-perpetuating ones. As more machines are compromised, cybercriminals have more computing power, potential account access for phishing attacks, and other resources that they can use to compromise more and more machines.

Criminals exploited one of the now-patched Internet Explorer vulnerabilities in watering hole attacks targeting the United States Department of Labor.

Water holing, or a watering hole attack, is a technique whereby attackers compromise a website that they believe their real target will visit. So, in these cases, attackers infected a DoL website to snare DoE and other valuable government employees; it was also used to phish USAID workers in Cambodia.

As noted by Kaspersky Lab expert and friend of the blog Kurt Baumgartner, Microsoft also supplied fixes for a few “less sexy” but no less important escalation of privilege vulnerabilities. EoPs, as they’re called, are often used after a compromise so that attackers can gain full user rights on infected machines. Of course, once an attacker has full user rights, he or she can do whatever nefarious thing he or she wants.